support for (secure) downloads, ideally via a browser (no special software required)

support for (secure) uploads, ideally via sftp (most of our customers are familiar with ftp)

Our target was RHEL/CentOS 7, but this should transfer to other linuxes pretty
readily.

Here's the scheme we ended up settling on, which seems to give us a good mix of
security and flexibility.

use apache with HTTPS and PAM with local accounts, one per customer, and nologin
shell accounts

users have their own groups (group=$USER), and also belong to the sftp group

we use the users group for internal company accounts, but NOT for customers

customer data directories live in /data

we use a 3-layer hierarchy for security: /data/chroot_$USER/$USER (the customer
accounts themselves are created with a nologin shell, as above)

the /data/chroot_$USER directory must be owned by root:$USER, with
permissions 750, and is used for an sftp chroot directory (not writeable
by the user)

the next-level /data/chroot_$USER/$USER directory should be owned by $USER:users,
with permissions 2770 (where users is our internal company user group, so both
the customer and our internal users can write here)

we also add an ACL to /data/chroot_$USER to allow the company-internal users
group read/search access (but not write)

We just use openssh internal-sftp to provide sftp access, with the following config:

So we chroot sftp connections to /data/chroot_$USER and then (via the ForceCommand)
chdir to /data/chroot_$USER/$USER, so they start off in the writeable part of their
tree. (If they bother to pwd, they see that they're in /$USER, and they can chdir
up a level, but there's nothing else there except their $USER directory, and they
can't write to the chroot.)
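The ownership and mode rules above are easy to get subtly wrong when accounts are created by hand, and sshd silently refuses a ChrootDirectory that is not root-owned or is group/world writable. The following audit is an added example (not the original post's code) that checks a customer's two directories against the layout described here; the uids, gids and `Entry` type are assumptions, and the sample values in the `__main__` block are constructed.

```python
"""Audit a customer's sftp tree against the 3-layer layout described above.

Expected (per customer $USER):
  /data/chroot_$USER        root:$USER   0750   (sftp chroot, not user-writable)
  /data/chroot_$USER/$USER  $USER:users  2770   (customer and internal staff write here)
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    uid: int
    gid: int
    mode: int  # st_mode or bare permission bits, e.g. 0o2770


def audit_tree(user_uid, user_gid, users_gid, chroot, inner):
    """Return a list of findings; an empty list means the tree matches the layout."""
    findings = []
    # sshd only honours ChrootDirectory when it is root-owned and not group/world writable
    if chroot.uid != 0:
        findings.append("chroot dir not owned by root (sshd will refuse the chroot)")
    if chroot.mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("chroot dir is group/world writable (sshd will refuse the chroot)")
    if chroot.gid != user_gid:
        findings.append("chroot dir group is not the customer's private group")
    if stat.S_IMODE(chroot.mode) != 0o750:
        findings.append(f"chroot dir mode is {oct(stat.S_IMODE(chroot.mode))}, expected 0o750")
    if inner.uid != user_uid:
        findings.append("data dir not owned by the customer")
    if inner.gid != users_gid:
        findings.append("data dir group is not 'users' (internal staff cannot write)")
    if not inner.mode & stat.S_ISGID:
        findings.append("data dir lacks setgid: new files will not inherit the users group")
    if stat.S_IMODE(inner.mode) != 0o2770:
        findings.append(f"data dir mode is {oct(stat.S_IMODE(inner.mode))}, expected 0o2770")
    return findings


def audit_host(user, data_root="/data"):
    """Audit a real account: read ownership/mode with os.stat (needs read access to /data)."""
    import grp
    import pwd
    pw = pwd.getpwnam(user)
    chroot_path = os.path.join(data_root, f"chroot_{user}")

    def entry(path):
        st = os.stat(path)
        return Entry(st.st_uid, st.st_gid, st.st_mode)

    return audit_tree(pw.pw_uid, pw.pw_gid, grp.getgrnam("users").gr_gid,
                      entry(chroot_path), entry(os.path.join(chroot_path, user)))


if __name__ == "__main__":
    # Constructed sample: uid/gid 1001 for the customer, gid 100 for 'users'
    print(audit_tree(1001, 1001, 100, Entry(0, 1001, 0o750), Entry(1001, 100, 0o2770)))
```

The setgid check matters because internal staff writing into the customer directory would otherwise create files in their own primary group, which the customer could not read.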